1. Field of the Invention
The present invention relates generally to systems and methods for managing security keys in a wireless network.
2. Description of the Related Art
The advent of wireless high-speed packet data has caused the Radio Access Network (RAN) in wireless networks to evolve from a circuit-switched to a packet-switched network, in an effort to meet the high capacity demand efficiently and to interface and operate with other packet data networks. As a consequence, the RAN network elements (NEs), such as the computers and/or servers in Radio Network Controllers (RNCs) and/or base transceiver stations (BTSs), and the interfaces between these NEs, have been exposed to IP traffic. This exposure introduces security threats and vulnerabilities to the NEs that need to be resolved.
One line of defense adopted to protect the RAN NEs from these security threats and vulnerabilities has been to replace the existing non-secure communication protocols used by the RAN with secure protocol versions, such as Secure Shell (SSH) and IP security (known as "IPsec"). SSH is a program for logging into another computer over a network, executing commands on a remote machine, and moving files from one machine to another. SSH provides strong authentication and secure communications over insecure channels. IPsec is a set of protocols developed by the Internet Engineering Task Force (IETF) to support the secure exchange of packets at the IP layer.
These protocols require public/private key pairs, digital certificates and other credentials to be populated in each network element in the network, in order to support strong authentication and public key cryptography. These credentials must be generated, provisioned to the network elements and, in general, managed in a way that is secure and anchored in trusted sources, whether via a manual out-of-band procedure or by employing some type of automated process based on the exchange of digitally signed messages.
In a wireless access network, the network elements that host the security credentials (i.e., key pairs and digital certificates) are the computers and servers in the Radio Network Controller (RNC) and/or the base transceiver station (BTS). In order to manage these credentials in a large network with several thousand BTSs, the procedures should be automated so that the operation remains manageable. The alternative is to manage these processes manually, which would substantially increase maintenance cost, lower operational efficiency and likely be more prone to human error and/or security breaches. The scalability problem posed by providing security key management in networks having a substantial number of BTSs (hundreds, thousands, etc.) should be addressed.
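The automated credential management that the two preceding paragraphs call for can be illustrated concretely. The following is an added example, not code from the patent or from any product it describes, written in Go against the standard library only. It assumes an operator-run certification authority (CA) whose certificate is the single trust anchor provisioned out of band, and it uses Ed25519 keys purely for brevity; the patent text does not name an algorithm, and the names "Operator RAN CA" and "bts-NNNN.ran.example" are hypothetical. Each network element generates its own key pair locally, sends a signed certificate request, the CA checks the request signature (proof of possession) before issuing, and a peer such as an RNC accepts the element only if the resulting certificate chains to the operator CA. The same loop that enrolls three elements here would enroll thousands with no additional manual step.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// credential holds a certificate together with the private key it certifies.
type credential struct {
	cert *x509.Certificate
	priv ed25519.PrivateKey
}

// newOperatorCA creates the self-signed CA that acts as the trusted source for
// the whole access network. Its certificate is the only item that must be
// provisioned out of band (e.g. at BTS staging); everything after that is automated.
func newOperatorCA(name string) (*credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &credential{cert: cert, priv: priv}, nil
}

// newElementCSR runs on the network element (BTS or RNC host). The key pair is
// generated locally so the private key never crosses the network; only the
// signed certificate request does.
func newElementCSR(commonName string) (csrDER []byte, priv ed25519.PrivateKey, err error) {
	_, priv, err = ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	csrDER, err = x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	return csrDER, priv, err
}

// issue runs on the CA side: parse the request, check proof of possession,
// and sign a short-lived certificate for the element's public key.
func (ca *credential) issue(csrDER []byte, serial int64, ttl time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	// Proof of possession: the request must be signed by the key it carries.
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyPeer is what an RNC (or another BTS) does when a peer presents its
// certificate during IPsec/IKE or SSH setup: the chain must end at the operator CA.
func verifyPeer(cert *x509.Certificate, trustAnchor *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustAnchor)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, err := newOperatorCA("Operator RAN CA") // hypothetical CA name
	if err != nil {
		panic(err)
	}
	// Enroll a few BTSs exactly as a deployment of thousands would: no
	// per-element manual step beyond the shared CA trust anchor.
	for i := int64(1); i <= 3; i++ {
		csr, _, err := newElementCSR(fmt.Sprintf("bts-%04d.ran.example", i)) // hypothetical naming
		if err != nil {
			panic(err)
		}
		cert, err := ca.issue(csr, i+1, 24*time.Hour)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: chains to operator CA = %v\n", cert.Subject.CommonName, verifyPeer(cert, ca.cert) == nil)
	}
}
```

The two checks worth noting are the ones that keep the automation from becoming the weak point: `CheckSignature` refuses a request that was altered in transit or whose sender does not hold the private key, and `verifyPeer` refuses any certificate issued by a CA other than the operator's anchor, which is what prevents a rogue element from talking itself into the RAN.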